Key Takeaways
The latest phase of Europol’s Operation Endgame successfully dismantled key components of the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet, resulting in domain and server seizures and an arrest.
This action has effectively crippled the operational capacity of these malicious networks, which were responsible for infecting hundreds of thousands of computers worldwide.
Hudson Rock’s co-founder & CTO, Alon Gal, yesterday flagged a message circulated among Rhadamanthys operators that advised an immediate cessation of activities, citing actions by EU police.
Europol said that this leg of the operation, conducted between November 10 and 14, 2025, resulted in:
The Rhadamanthys malware takedown was a central focus of the operation. This infostealer-as-a-service platform allowed cybercriminals to steal millions of credentials and had access to over 100,000 cryptocurrency wallets belonging to victims.
The disruption was confirmed after the malware's developer warned users of losing server access, suspecting German law enforcement involvement.
Additionally, the VenomRAT Remote Access Trojan disruption included the arrest of a key suspect in Greece on November 3, 2025.
The Elysium botnet was also targeted, further broadening the scope of the crackdown on interconnected cybercrime services.
By taking down command-and-control servers, law enforcement agencies can neutralize threats on a large scale, protecting countless potential victims who may not even be aware their systems are compromised.
This operation, which targeted SmokeLoader, Bumblebee, TrickBot, IcedID, and more, demonstrates the continued success of Operation Endgame in targeting the foundational infrastructure used by cybercriminals.
Yet, the DanaBot malware recently resurfaced despite being dismantled about six months ago, and Fortinet noticed the return of SmokeLoader.
To determine if their systems were compromised by these malware strains, Europol has advised individuals to check designated online portals:
Cryptolaemus, Shadowserver and RoLR, SpyCloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, and Bitdefender were named as important contributing private partners.